IDS mailing list archives

Catching Spammers with IDS


From: Greg Martin <greg () ddos com>
Date: 12 Apr 2005 03:10:12 -0000



I am interested in hearing some of your stories on how to catch spammers on your network.

I know some of their possible characteristics are a definable pattern, such as a massive # of MX queries on the local DNS resolver, or, common of late with the big spammers, the use of compromised hosts (proxy spamming), which will be thousands of outgoing or incoming reverse DNS lookups at a high rate.

A quick Google returns very little on this subject, so how are _you_ using current IDS technology to proactively look for spammers?

Please share your knowledge, snort rules, BPFs, anything to help bring an end to this nuisance.

- Greg Martin
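
The two DNS patterns named in the post (bursts of MX queries and high-rate reverse lookups from a single client) can be checked with a sliding-window counter over resolver query logs. This is an added example, not part of the original post; the log format (`epoch client_ip qtype qname`), the thresholds, the allowlist parameter and all addresses are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumed thresholds and window (not from the original post); tune per network.
WINDOW_SECONDS = 60
LIMITS = {"MX": 5, "PTR": 5}

def parse_line(line):
    """Parse 'epoch client_ip qtype qname'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2].upper(), parts[3]

def find_suspects(lines, allow=(), window=WINDOW_SECONDS, limits=LIMITS):
    """Return {client: {qtype: peak count within one sliding window}} for
    clients that reach a limit. 'allow' holds known mail servers, which
    legitimately issue many MX and PTR queries."""
    recent = defaultdict(deque)  # (client, qtype) -> timestamps inside the window
    peaks = defaultdict(dict)
    for ts, client, qtype, _ in sorted(filter(None, map(parse_line, lines))):
        if client in allow or qtype not in limits:
            continue
        q = recent[(client, qtype)]
        q.append(ts)
        while q[0] <= ts - window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= limits[qtype]:
            peaks[client][qtype] = max(peaks[client].get(qtype, 0), len(q))
    return dict(peaks)

def sample_log():
    """Constructed resolver query log used to exercise the detector."""
    log = ["garbage line"]  # malformed input is skipped
    log += [f"{1000 + 5*i} 10.0.0.25 MX d{i}.example.com" for i in range(8)]  # known MTA
    log += [f"{1000 + 5*i} 10.0.0.77 MX d{i}.example.net" for i in range(6)]  # workstation
    log += [f"{1000 + 3*i} 10.0.0.88 PTR {i}.2.0.192.in-addr.arpa" for i in range(7)]
    log += [f"{1000 + 300*i} 10.0.0.10 MX d{i}.example.org" for i in range(3)]  # slow, benign
    log += ["1001 10.0.0.10 A www.example.com"]
    return log

if __name__ == "__main__":
    for client, hits in find_suspects(sample_log(), allow={"10.0.0.25"}).items():
        print(client, hits)
```

Hosts that are not mail servers have little reason to issue MX queries at all, so the MX limit can usually be set far lower than the PTR limit once the real MTAs are allowlisted.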



